S0462: CARROTBAT
Analyst context for executives and security teams
CARROTBAT matters because it is described as a Windows dropper: its value to an adversary is enabling follow-on malware installation, including SYSCON, rather than being the final objective itself. For leaders, the practical question is whether defenses can spot early-stage delivery and staging behavior before additional tools are installed and evidence is deleted or obfuscated.
Executive priority
Prioritize this as a readiness and resilience issue, not just a malware-name issue. Because ATT&CK provides no official detection guidance and no tactic list for this malware object, teams should validate coverage against the mapped behaviors instead: command-shell execution, command obfuscation, encoded or encrypted files, ingress tool transfer, system information discovery, and file deletion. That validation supports incident decision-making, audit evidence for endpoint monitoring, and budget decisions around Windows endpoint visibility and response capability.
Technical view
CARROTBAT is a Windows malware object mapped to use Command Obfuscation, Encrypted/Encoded File, Windows Command Shell, File Deletion, System Information Discovery, and Ingress Tool Transfer. SOC and IR teams should test whether they can correlate suspicious cmd.exe activity with encoded or obfuscated artifacts, newly introduced files, host discovery commands, and subsequent cleanup. Because the official object does not provide detections, analytics should be behavior-based and validated against local baselines rather than relying only on CARROTBAT signatures.
Likely telemetry
- Windows endpoint process creation telemetry, especially command-line arguments for cmd.exe
- File creation, modification, encoding/encryption indicators, and deletion events on Windows hosts
- Endpoint detection logs showing dropped executables, scripts, or non-native files
- Network or proxy evidence of externally transferred tools or files where available
- Host inventory and system information query activity
Detection direction
- Validate detections for suspicious Windows Command Shell execution with obfuscated or unusual command-line content.
- Correlate encoded/encrypted files with process execution and subsequent file deletion to reduce dependence on static signatures.
- Look for staging patterns: external file transfer followed by execution, discovery, and cleanup on the same host.
- Tune for false positives from administrative scripts, software deployment tools, and legitimate cleanup jobs by using signer, parent process, user context, and change window context.
- Treat CARROTBAT family naming as enrichment; coverage should be measured against the mapped ATT&CK behaviors because MITRE provides no official detection text for this object.
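The correlation described in the technical view and in the detection direction above, as an added example that is not MITRE, Unit 42 or Glexia code: it takes a constructed list of Windows endpoint events in an assumed Sysmon-like schema (host, timestamp, kind, image, parent, command line, path) and flags a host only when several stages of the drop / obfuscated shell / encoded payload / discovery / cleanup chain appear on the same host inside one window. The regexes, staging directories, the deployment-tool parent used for tuning, the `dropper.exe` parent name and the thresholds are all assumptions for the demonstration, not published indicators. Carets are stripped before keyword matching so that an obfuscated `v^er` still counts as discovery, and a deletion only counts as cleanup when it removes a file the same chain introduced.

```python
"""Staging-chain correlation for the ATT&CK behaviors mapped to CARROTBAT.

Added example (not MITRE, Unit 42 or Glexia code). The event schema,
regexes, staging directories, allowlists and thresholds are assumptions
chosen to illustrate the correlation, not published indicators.
"""
import base64
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass
class Event:
    """Simplified Sysmon-like endpoint event (assumed schema)."""
    host: str
    ts: datetime
    kind: str            # "process", "file_create" or "file_delete"
    image: str = ""      # process image, process events only
    parent: str = ""     # parent image, process events only
    cmdline: str = ""    # command line, process events only
    path: str = ""       # file path, file events only


# One heuristic per mapped (sub-)technique; all are assumptions for the demo.
CARET_INSERTION = re.compile(r"\^")                                 # T1027.010
ENV_SUBSTRING = re.compile(r"%[A-Za-z_]\w*:~-?\d+(,-?\d+)?%")        # T1027.010
CERTUTIL_DECODE = re.compile(r"certutil(\.exe)?\s.*-decode", re.I)  # T1027.013
B64_BLOB = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")                  # T1027.013
DISCOVERY = re.compile(                                             # T1082
    r"(^|[\s&|])(systeminfo|ver|wmic\s+os|echo\s+%PROCESSOR_ARCHITECTURE%)(?=$|[\s&|])", re.I)
DELETE = re.compile(r"(^|[\s&|])(del|erase)\s", re.I)               # T1070.004
STAGING_DIRS = ("\\appdata\\local\\temp\\", "\\appdata\\roaming\\", "\\programdata\\")  # T1105
DEPLOYMENT_PARENTS = {"ccmexec.exe"}  # assumed software-deployment parent tuned out


def is_obfuscated(cmdline):
    """Caret insertion or environment-variable substring tricks in the raw line."""
    return bool(CARET_INSERTION.search(cmdline) or ENV_SUBSTRING.search(cmdline))


def has_encoded_payload(cmdline):
    """certutil -decode, or an inline blob that really is valid base64."""
    if CERTUTIL_DECODE.search(cmdline):
        return True
    m = B64_BLOB.search(cmdline)
    if not m:
        return False
    try:
        base64.b64decode(m.group(0), validate=True)
        return True
    except ValueError:          # binascii.Error is a ValueError subclass
        return False


def correlate(events, window=timedelta(minutes=30), min_stages=4):
    """Return {host: {stage: first_seen}} for hosts showing at least
    min_stages of the staging chain within one time window."""
    by_host = defaultdict(list)
    for e in events:
        by_host[e.host].append(e)

    findings = {}
    for host, evs in by_host.items():
        evs.sort(key=lambda e: e.ts)
        stages, dropped = {}, set()   # dropped: basenames this chain introduced
        for e in evs:
            if e.kind == "file_create":
                low = e.path.lower()
                if any(d in low for d in STAGING_DIRS):
                    stages.setdefault("T1105", e.ts)
                    dropped.add(low.rsplit("\\", 1)[-1])
                continue
            if e.kind != "process" or not e.image.lower().endswith("cmd.exe"):
                continue
            if e.parent.lower() in DEPLOYMENT_PARENTS:
                continue              # tuned out: deployment tooling context
            raw = e.cmdline
            norm = raw.replace("^", "")   # strip carets before keyword matching
            if is_obfuscated(raw):
                stages.setdefault("T1059.003+T1027.010", e.ts)
            if has_encoded_payload(norm):
                stages.setdefault("T1027.013", e.ts)
            if DISCOVERY.search(norm):
                stages.setdefault("T1082", e.ts)
            if DELETE.search(norm) and any(n in norm.lower() for n in dropped):
                stages.setdefault("T1070.004", e.ts)
        if len(stages) >= min_stages and max(stages.values()) - min(stages.values()) <= window:
            findings[host] = stages
    return findings


# Constructed sample telemetry, not real events. WS01 shows the full chain
# (parent "dropper.exe" is a hypothetical name); WS02 is benign admin noise.
T0 = datetime(2024, 1, 1, 9, 0, 0)
CMD = "C:\\Windows\\System32\\cmd.exe"
SAMPLE_EVENTS = [
    Event("WS01", T0, "file_create", path="C:\\Users\\u\\AppData\\Local\\Temp\\payload.txt"),
    Event("WS01", T0 + timedelta(seconds=5), "process", CMD, "dropper.exe",
          "cmd /c cer^tutil -decode %TEMP%\\payload.txt %TEMP%\\svc.exe"),
    Event("WS01", T0 + timedelta(seconds=10), "process", CMD, "dropper.exe",
          "cmd /c v^er && echo %PROCESSOR_ARCHITECTURE%"),
    Event("WS01", T0 + timedelta(seconds=20), "process", CMD, "dropper.exe",
          "cmd /c del /f /q %TEMP%\\payload.txt"),
    Event("WS02", T0, "process", CMD, "explorer.exe", "cmd /c systeminfo"),
    Event("WS02", T0 + timedelta(minutes=1), "file_create", path="C:\\ProgramData\\cache.tmp"),
    Event("WS02", T0 + timedelta(minutes=2), "process", CMD, "CcmExec.exe",
          "cmd /c del /q C:\\ProgramData\\cache.tmp"),
]

if __name__ == "__main__":
    for host, stages in correlate(SAMPLE_EVENTS).items():
        print(host, sorted(stages))
```

Running the block reports only WS01, with all five stages; WS02 collects the discovery and file-drop stages but never reaches the threshold because its deletion came from the tuned-out deployment parent. In production the allowlist, the window and `min_stages` are the knobs to tune against the local baseline, and the per-stage timestamps returned are what an analyst would pivot on during triage.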
Mitigation priorities
- Ensure Windows endpoints collect process, command-line, file, and deletion telemetry needed for investigation.
- Harden and monitor script and command-shell use, especially where business workflows do not require interactive shell activity.
- Restrict unauthorized tool transfer paths and review egress controls where they can provide evidence of external file retrieval.
- Maintain endpoint prevention and response controls capable of blocking or containing suspicious droppers and follow-on payload installation.
- Prepare IR playbooks to preserve volatile evidence quickly, since mapped behavior includes file deletion and obfuscation.
Analyst notes and limits
The supplied ATT&CK description identifies CARROTBAT as a customized dropper in use since at least 2017, used to install SYSCON, with infrastructure overlap with KONNI. The relationship set is the main source of defensive value here because it shows the behaviors defenders should validate even when malware-specific detection content is absent.
ATT&CK does not provide official detection guidance, aliases, labels, or tactics for the CARROTBAT malware object in the supplied fields. The external references are campaign reports, but this summary does not infer current activity, attribution, targeting, or guaranteed detection coverage. Local telemetry, asset exposure, and incident evidence are required to determine relevance in a specific environment.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1082 | System Information Discovery | CARROTBAT has the ability to determine the operating system of the compromised host and whether Windows is being run with x86 or x64 architecture. [1][2] |
| Enterprise | T1059.003 | Windows Command Shell (sub-technique) | CARROTBAT has the ability to execute command line arguments on a compromised host. [2] |
| Enterprise | T1027.010 | Command Obfuscation (sub-technique) | CARROTBAT has the ability to execute obfuscated commands on the infected host. [1] |
| Enterprise | T1105 | Ingress Tool Transfer | |
| Enterprise | T1070.004 | File Deletion (sub-technique) | CARROTBAT has the ability to delete downloaded files from a compromised host. [1] |
| Enterprise | T1027.013 | Encrypted/Encoded File (sub-technique) | CARROTBAT has the ability to download a base64 encoded payload. [1] |
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources: Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.2 | | Current bundle | d71058e9dfdc… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] Unit 42 CARROTBAT November 2018: Grunzweig, J. and Wilhoit, K. (2018, November 29). The Fractured Block Campaign: CARROTBAT Used to Deliver Malware Targeting Southeast Asia. Retrieved June 2, 2020.
- [2] Unit 42 CARROTBAT January 2020: McCabe, A. (2020, January 23). The Fractured Statue Campaign: U.S. Government Agency Targeted in Spear-Phishing Attacks. Retrieved June 2, 2020.
- [3] mitre-attack S0462
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.